Be careful of ForwardedHeaderFilter. Don't use it with Jetty and Jetty's default ForwardedRequestCustomizer. They essentially do the same thing, but the Filter + Wrapping approach isn't 100% compatible with 100% of requests (external and internal).
I would recommend using the ForwardedRequestCustomizer only, as it does the correct changes to your Request before the Request even reaches your ServletContext. That way it will work on all requests, even internal dispatched ones, request logging, and even on error handling (inside and outside of your ServletContext).

Having both DoSFilter and QoSFilter in the same chain is unusual (but not impossible, nor problematic).

DoSFilter is typically used to control all requests on all url-patterns.
QoSFilter is typically used to control slow behavior on specific url-patterns that are known to take too much time (like big database queries).

DoSFilter is the sledgehammer, QoSFilter is the scalpel.

If you use DoSFilter, there's very little need for QoSFilter. (You are covered.)
And if you understand your webapp well enough to use QoSFilter properly, there's not much need for DoSFilter.

As for where Spring Security should sit in the chain...
Most people protect all components that have external access (like an LDAP server) on their webapp when selecting to use DoSFilter or QoSFilter.
If your Spring Security has an external system dependency, then protect it too.

Joakim Erdfelt / [email protected]

On Tue, Oct 15, 2019 at 1:09 PM Jared Wiltshire <[email protected]> wrote:

> Can anyone offer any guidance on the usage of QoSFilter and DoSFilter.
> Specifically, should they be used together and if so in which order?
>
> I noticed that the DoSFilter has getPriority(HttpServletRequest,
> RateTracker) method which can be overridden and looks to provide the same
> functionality as the QoSFilter.
>
> We use Spring Security so I would assume my filter order should be
>
> 1. ForwardedHeaderFilter
> 2. Spring security
> 3. DoSFilter
> 4. QoSFilter
> 5. ...
>
> Thanks,
> Jared Wiltshire
> Infinite Automation
> _______________________________________________
> jetty-users mailing list
> [email protected]
> To change your delivery options, retrieve your password, or unsubscribe
> from this list, visit
> https://www.eclipse.org/mailman/listinfo/jetty-users
